mate-desktop / mate-panel

MATE panel
https://mate-desktop.org
GNU General Public License v2.0

Crash in gtk_drag_finish() #1356

Open eleventeen opened 1 year ago

eleventeen commented 1 year ago

Expected behaviour

No crash.

Actual behaviour

Crashes:

(mate-panel:39364): Gtk-CRITICAL **: 11:45:18.947: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed
Gtk-Message: 11:45:20.435: gtk_drag_finish 1

Thread 1 "mate-panel" received signal SIGSEGV, Segmentation fault.
0x00007ffff7ac1553 in gtk_drag_finish () from /lib/x86_64-linux-gnu/libgtk-3.so.0
(gdb) bt
#0  0x00007ffff7ac1553 in gtk_drag_finish () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#1  0x00007ffff7ac4a02 in  () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#2  0x00007ffff7ac4f3d in  () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#3  0x00007ffff76252ad in  () at /lib/x86_64-linux-gnu/libgdk-3.so.0
#4  0x00007ffff70d12c8 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff70d0c44 in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x00007ffff71256c8 in  () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7  0x00007ffff70d02b3 in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#8  0x00007ffff7941d2d in gtk_main () at /lib/x86_64-linux-gnu/libgtk-3.so.0
#9  0x000055555557d072 in main ()

Log contains my debug message. I've changed the code in gtk_drag_finish() to:

gtk_drag_finish (GdkDragContext *context,
                 gboolean        success,
                 gboolean        del,
                 guint32         time)
{
  GdkAtom target = GDK_NONE;

  g_message("gtk_drag_finish 1\n");
  g_return_if_fail (GDK_IS_DRAG_CONTEXT (context));
  g_message("gtk_drag_finish 2\n");

So it looks like GDK_IS_DRAG_CONTEXT (context) is causing the crash. Even if there is no crash there are problems in logs detected by gtk:

(mate-panel:38208): Gtk-CRITICAL **: 11:30:56.071: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed
(mate-panel:38208): Gtk-CRITICAL **: 11:30:56.629: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed
(mate-panel:38208): Gtk-CRITICAL **: 11:30:58.160: gtk_drag_finish: assertion 'GDK_IS_DRAG_CONTEXT (context)' failed
(mate-panel:38208): Gtk-CRITICAL **: 11:30:58.160: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed
(mate-panel:39364): Gtk-CRITICAL **: 11:45:11.011: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed
(mate-panel:39364): Gtk-CRITICAL **: 11:45:13.106: gtk_drag_finish: assertion 'GDK_IS_DRAG_CONTEXT (context)' failed
(mate-panel:39364): Gtk-CRITICAL **: 11:45:13.106: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed
(mate-panel:39364): Gtk-CRITICAL **: 11:45:14.100: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed
(mate-panel:39364): Gtk-CRITICAL **: 11:45:14.755: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed

I think (not 100% sure though) that before I started to debug it I've seen crashes without GDK_IS_DRAG_CONTEXT in logs a short time before the crash. I've replaced in mate-panel g_assert(GTK_IS_WIDGET... with code that returns if the assert has failed (in panel_toplevel_button_press_event() and panel_widget_applet_move_to_cursor()) and since then so far I haven't noticed crashes without GDK_IS_DRAG_CONTEXT in logs. The other change I've made is to change the _GNOME_WM_STRUT_AREA (in panel-xutils.c) name to a non-relevant name (because of this bug, that may actually be a mate-panel bug: https://bugs.launchpad.net/compiz/+bug/1999342).

Steps to reproduce the behavior

No idea. It happens quite often. It may have something to do with the "Show Desktop Button" or "Window List" applet. Or with the fact that I'm using compiz.

MATE general version

1.26 (mate-desktop-environment-core/jammy,jammy,now 1.26.0+1ubuntu6)

Package version

mate-panel/jammy 1.26.2-1 amd64

Linux Distribution

Distributor ID: Ubuntu
Description:    Ubuntu 22.04.1 LTS
Release:    22.04
Codename:   jammy

Link to bugreport of your Distribution (requirement)

?

eleventeen commented 1 year ago

I've added more logs:

g_message("gtk_drag_finish 1, context: %p, success: %d, del: %d\n", context, success, del);

and clearly context is incorrect. Results before 2 crashes:

Gtk-Message: 13:04:24.849: gtk_drag_finish 1, context: 0x1, success: 0, del: 0
Gtk-Message: 13:22:39.511: gtk_drag_finish 1, context: 0x22, success: 0, del: 0

Sometimes context is NULL.

eleventeen commented 1 year ago

Looks like it's easily reproducible:

  1. Move windows many times in the "Window List" applet.
  2. Wait. Apparently gtk_drag_finish() is called with a long delay.

You should see in logs many times "gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed" (I assume it is also a bug). Most likely you will also see many times "gtk_drag_finish: assertion 'GDK_IS_DRAG_CONTEXT (context)' failed" (I assume this is displayed if context is NULL. May it cause memory leaks?). And not as often mate-panel will crash. context will point to not readable memory like 0x1 or 0x200000002.

lukefromdc commented 1 year ago

I was just unable to duplicate this, but machine speed differences could explain that if a race condition is involved, as could different GTK or glib versions etc. On Debian Unstable with locally compiled GTK 3.24.34 with a couple of the gtk3-classic patches (affecting treeviews and filechoosers only) applied, and locally compiled glib 2.74.0.

correctmost commented 1 year ago

I occasionally see this crash on Arch Linux, but I don't have reliable steps to reproduce the issue. The crash does seem to stem from a drag timeout:

Thread 1 "mate-panel" received signal SIGSEGV, Segmentation fault.
0x00007ffff7382113 in gtk_drag_finish (context=0x6110001d1680, success=0, del=0, time=0) at ../gtk/gtk/gtkdnd.c:961
961       g_return_if_fail (GDK_IS_DRAG_CONTEXT (context));
(gdb) bt
#0  0x00007ffff7382113 in gtk_drag_finish (context=0x6110001d1680, success=0, del=0, time=0) at ../gtk/gtk/gtkdnd.c:961
#1  0x00007ffff7387750 in gtk_drag_drop_finished (info=0x60e00007e200, result=result@entry=GTK_DRAG_RESULT_TIMEOUT_EXPIRED, time=<optimized out>) at ../gtk/gtk/gtkdnd.c:2591
#2  0x00007ffff738796d in gtk_drag_abort_timeout (data=<optimized out>) at ../gtk/gtk/gtkdnd.c:3269
#3  0x00007ffff6f346ae in gdk_threads_dispatch (data=0x603000c65a40, data@entry=<error reading variable: value has been optimized out>) at ../gtk/gdk/gdk.c:769
#4  0x00007ffff68c12ce in g_timeout_dispatch (source=0x60b0000e9350, callback=<optimized out>, user_data=<optimized out>) at ../glib/glib/gmain.c:5054
#5  0x00007ffff68c0a31 in g_main_dispatch (context=0x60f000001300) at ../glib/glib/gmain.c:3460
#6  g_main_context_dispatch (context=0x60f000001300) at ../glib/glib/gmain.c:4200
#7  0x00007ffff691dcc9 in g_main_context_iterate.isra.0 (context=0x60f000001300, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/glib/gmain.c:4276
#8  0x00007ffff68bffef in g_main_loop_run (loop=0x6020001921b0) at ../glib/glib/gmain.c:4479
#9  0x00007ffff71ecf6f in gtk_main () at ../gtk/gtk/gtkmain.c:1329
#10 0x00005555555b3952 in main (argc=1, argv=0x7fffffffe7e8) at main.c:223
ERROR: AddressSanitizer: SEGV on unknown address 0x0000000001b4 (pc 0x7ffff7382113 bp 0x000000000000 sp 0x7fffffffe360 T0)
The signal is caused by a READ memory access.
Hint: address points to the zero page.
    #0 0x7ffff7382113 in gtk_drag_finish (/usr/lib/libgtk-3.so.0+0x382113) (BuildId: bfff5191d91b5f3d382d1ea028f3567e494ea7e8)
    #1 0x7ffff738774f  (/usr/lib/libgtk-3.so.0+0x38774f) (BuildId: bfff5191d91b5f3d382d1ea028f3567e494ea7e8)
    #2 0x7ffff738796c  (/usr/lib/libgtk-3.so.0+0x38796c) (BuildId: bfff5191d91b5f3d382d1ea028f3567e494ea7e8)
    #3 0x7ffff6f346ad  (/usr/lib/libgdk-3.so.0+0x2d6ad) (BuildId: bad6d9eb029c69940450a53f4db3a9235d0117a7)
    #4 0x7ffff68c12cd  (/usr/lib/libglib-2.0.so.0+0x5b2cd) (BuildId: f542e5bef5a6e582109f24638d60b64ba74b957c)
    #5 0x7ffff68c0a30 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x5aa30) (BuildId: f542e5bef5a6e582109f24638d60b64ba74b957c)
    #6 0x7ffff691dcc8  (/usr/lib/libglib-2.0.so.0+0xb7cc8) (BuildId: f542e5bef5a6e582109f24638d60b64ba74b957c)
    #7 0x7ffff68bffee in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x59fee) (BuildId: f542e5bef5a6e582109f24638d60b64ba74b957c)
    #8 0x7ffff71ecf6e in gtk_main (/usr/lib/libgtk-3.so.0+0x1ecf6e) (BuildId: bfff5191d91b5f3d382d1ea028f3567e494ea7e8)
    #9 0x5555555b3951 in main /home/s/code/mate-panel/mate-panel/main.c:223
    #10 0x7ffff652484f  (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #11 0x7ffff6524909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
    #12 0x5555555b2884 in _start (/usr/local/bin/mate-panel+0x5e884) (BuildId: 40678e46484f760135b9828456a4ca7aa749d1d5)

Versions

  * mate-desktop - 1.26.1-1
  * mate-panel - cabfa67556e211f406b76a8e495a44220d565eee
  * glib2 - 2.76.4-1
  * glibc - 2.37-3
  * gtk3 - 1:3.24.38-1

correctmost commented 1 year ago

Here's a valgrind trace that seems to indicate a use-after-free.

I randomly drag windows in the Window List, switch between Mate Terminal tabs, open the main menu, and open and close Caja windows until a crash occurs.

==143081== Invalid read of size 4
==143081==    at 0x4C68956: gtk_drag_abort_timeout (gtkdnd.c:3266)
==143081==    by 0x50E66AD: gdk_threads_dispatch (gdk.c:769)
==143081==    by 0x57C12CD: g_timeout_dispatch (gmain.c:5054)
==143081==    by 0x57C0A30: UnknownInlinedFun (gmain.c:3460)
==143081==    by 0x57C0A30: g_main_context_dispatch (gmain.c:4200)
==143081==    by 0x581DCC8: g_main_context_iterate.isra.0 (gmain.c:4276)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)
==143081==  Address 0xd414380 is 0 bytes after a block of size 32 free'd
==143081==    at 0x484412F: free (vg_replace_malloc.c:974)
==143081==    by 0x57BEF1F: g_source_destroy_internal (gmain.c:1407)
==143081==    by 0x57C0B38: UnknownInlinedFun (gmain.c:3490)
==143081==    by 0x57C0B38: g_main_context_dispatch (gmain.c:4200)
==143081==    by 0x581DCC8: g_main_context_iterate.isra.0 (gmain.c:4276)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)
==143081==  Block was alloc'd at
==143081==    at 0x4841848: malloc (vg_replace_malloc.c:431)
==143081==    by 0x57C84D2: g_malloc (gmem.c:130)
==143081==    by 0x57BE690: UnknownInlinedFun (gmain.c:1863)
==143081==    by 0x57BE690: g_source_set_callback (gmain.c:1851)
==143081==    by 0x57BF5C5: UnknownInlinedFun (gmain.c:6226)
==143081==    by 0x57BF5C5: g_idle_add_full (gmain.c:6267)
==143081==    by 0x5134E2C: UnknownInlinedFun (gdkasync.c:172)
==143081==    by 0x5134E2C: send_event_handler.lto_priv.0 (gdkasync.c:136)
==143081==    by 0x590280C: handle_response (xcb_io.c:397)
==143081==    by 0x59028E9: _XEventsQueued (xcb_io.c:442)
==143081==    by 0x58F5237: XPending (Pending.c:55)
==143081==    by 0x5140A8D: UnknownInlinedFun (gdkeventsource.c:269)
==143081==    by 0x5140A8D: gdk_event_source_check (gdkeventsource.c:306)
==143081==    by 0x57C0F8D: g_main_context_check (gmain.c:4093)
==143081==    by 0x581DB27: g_main_context_iterate.isra.0 (gmain.c:4273)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)
==143081== 
==143081== Invalid read of size 8
==143081==    at 0x4C6873D: gtk_drag_drop_finished.lto_priv.0 (gtkdnd.c:2591)
==143081==    by 0x4C6896C: gtk_drag_abort_timeout (gtkdnd.c:3269)
==143081==    by 0x50E66AD: gdk_threads_dispatch (gdk.c:769)
==143081==    by 0x57C12CD: g_timeout_dispatch (gmain.c:5054)
==143081==    by 0x57C0A30: UnknownInlinedFun (gmain.c:3460)
==143081==    by 0x57C0A30: g_main_context_dispatch (gmain.c:4200)
==143081==    by 0x581DCC8: g_main_context_iterate.isra.0 (gmain.c:4276)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)
==143081==  Address 0xd414368 is 8 bytes inside a block of size 32 free'd
==143081==    at 0x484412F: free (vg_replace_malloc.c:974)
==143081==    by 0x57BEF1F: g_source_destroy_internal (gmain.c:1407)
==143081==    by 0x57C0B38: UnknownInlinedFun (gmain.c:3490)
==143081==    by 0x57C0B38: g_main_context_dispatch (gmain.c:4200)
==143081==    by 0x581DCC8: g_main_context_iterate.isra.0 (gmain.c:4276)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)
==143081==  Block was alloc'd at
==143081==    at 0x4841848: malloc (vg_replace_malloc.c:431)
==143081==    by 0x57C84D2: g_malloc (gmem.c:130)
==143081==    by 0x57BE690: UnknownInlinedFun (gmain.c:1863)
==143081==    by 0x57BE690: g_source_set_callback (gmain.c:1851)
==143081==    by 0x57BF5C5: UnknownInlinedFun (gmain.c:6226)
==143081==    by 0x57BF5C5: g_idle_add_full (gmain.c:6267)
==143081==    by 0x5134E2C: UnknownInlinedFun (gdkasync.c:172)
==143081==    by 0x5134E2C: send_event_handler.lto_priv.0 (gdkasync.c:136)
==143081==    by 0x590280C: handle_response (xcb_io.c:397)
==143081==    by 0x59028E9: _XEventsQueued (xcb_io.c:442)
==143081==    by 0x58F5237: XPending (Pending.c:55)
==143081==    by 0x5140A8D: UnknownInlinedFun (gdkeventsource.c:269)
==143081==    by 0x5140A8D: gdk_event_source_check (gdkeventsource.c:306)
==143081==    by 0x57C0F8D: g_main_context_check (gmain.c:4093)
==143081==    by 0x581DB27: g_main_context_iterate.isra.0 (gmain.c:4273)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)
==143081== 
==143081== Invalid read of size 4
==143081==    at 0x4C68741: gtk_drag_drop_finished.lto_priv.0 (gtkdnd.c:2591)
==143081==    by 0x4C6896C: gtk_drag_abort_timeout (gtkdnd.c:3269)
==143081==    by 0x50E66AD: gdk_threads_dispatch (gdk.c:769)
==143081==    by 0x57C12CD: g_timeout_dispatch (gmain.c:5054)
==143081==    by 0x57C0A30: UnknownInlinedFun (gmain.c:3460)
==143081==    by 0x57C0A30: g_main_context_dispatch (gmain.c:4200)
==143081==    by 0x581DCC8: g_main_context_iterate.isra.0 (gmain.c:4276)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)
==143081==  Address 0xd414380 is 0 bytes after a block of size 32 free'd
==143081==    at 0x484412F: free (vg_replace_malloc.c:974)
==143081==    by 0x57BEF1F: g_source_destroy_internal (gmain.c:1407)
==143081==    by 0x57C0B38: UnknownInlinedFun (gmain.c:3490)
==143081==    by 0x57C0B38: g_main_context_dispatch (gmain.c:4200)
==143081==    by 0x581DCC8: g_main_context_iterate.isra.0 (gmain.c:4276)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)
==143081==  Block was alloc'd at
==143081==    at 0x4841848: malloc (vg_replace_malloc.c:431)
==143081==    by 0x57C84D2: g_malloc (gmem.c:130)
==143081==    by 0x57BE690: UnknownInlinedFun (gmain.c:1863)
==143081==    by 0x57BE690: g_source_set_callback (gmain.c:1851)
==143081==    by 0x57BF5C5: UnknownInlinedFun (gmain.c:6226)
==143081==    by 0x57BF5C5: g_idle_add_full (gmain.c:6267)
==143081==    by 0x5134E2C: UnknownInlinedFun (gdkasync.c:172)
==143081==    by 0x5134E2C: send_event_handler.lto_priv.0 (gdkasync.c:136)
==143081==    by 0x590280C: handle_response (xcb_io.c:397)
==143081==    by 0x59028E9: _XEventsQueued (xcb_io.c:442)
==143081==    by 0x58F5237: XPending (Pending.c:55)
==143081==    by 0x5140A8D: UnknownInlinedFun (gdkeventsource.c:269)
==143081==    by 0x5140A8D: gdk_event_source_check (gdkeventsource.c:306)
==143081==    by 0x57C0F8D: g_main_context_check (gmain.c:4093)
==143081==    by 0x581DB27: g_main_context_iterate.isra.0 (gmain.c:4273)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)
==143081== 
==143081== Invalid read of size 8
==143081==    at 0x4C63113: gtk_drag_finish (gtkdnd.c:961)
==143081==    by 0x4C6874F: gtk_drag_drop_finished.lto_priv.0 (gtkdnd.c:2591)
==143081==    by 0x4C6896C: gtk_drag_abort_timeout (gtkdnd.c:3269)
==143081==    by 0x50E66AD: gdk_threads_dispatch (gdk.c:769)
==143081==    by 0x57C12CD: g_timeout_dispatch (gmain.c:5054)
==143081==    by 0x57C0A30: UnknownInlinedFun (gmain.c:3460)
==143081==    by 0x57C0A30: g_main_context_dispatch (gmain.c:4200)
==143081==    by 0x581DCC8: g_main_context_iterate.isra.0 (gmain.c:4276)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)
==143081==  Address 0x53ed3155fa1e0ff3 is not stack'd, malloc'd or (recently) free'd
==143081== 
==143081== 
==143081== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==143081==  General Protection Fault
==143081==    at 0x4C63113: gtk_drag_finish (gtkdnd.c:961)
==143081==    by 0x4C6874F: gtk_drag_drop_finished.lto_priv.0 (gtkdnd.c:2591)
==143081==    by 0x4C6896C: gtk_drag_abort_timeout (gtkdnd.c:3269)
==143081==    by 0x50E66AD: gdk_threads_dispatch (gdk.c:769)
==143081==    by 0x57C12CD: g_timeout_dispatch (gmain.c:5054)
==143081==    by 0x57C0A30: UnknownInlinedFun (gmain.c:3460)
==143081==    by 0x57C0A30: g_main_context_dispatch (gmain.c:4200)
==143081==    by 0x581DCC8: g_main_context_iterate.isra.0 (gmain.c:4276)
==143081==    by 0x57BFFEE: g_main_loop_run (gmain.c:4479)
==143081==    by 0x4ACDF6E: gtk_main (gtkmain.c:1329)
==143081==    by 0x12D221: main (main.c:223)

correctmost commented 1 year ago

I was able to capture a screen recording with very basic steps to reproduce the issue.

You can skip from 0:40 - 5:25 because the machine is just waiting for the drag timeout to occur.

https://github.com/correctmost/issue-attachments/blob/main/mate-panel/issue-1356-repro.mp4

(The video is too big to attach to this issue, so you may have to download it.)

lukefromdc commented 1 year ago

Video file is a 4.4 kb text file that probably is a website reference to a video file not the video itself.

I have the window list in-process and assuming you do too, as out of process a crash would take down only the applet not the whole panel. I can drag windows back and forth within the window list over and over and never get the crash, nor any warnings about gtk_drag_finish() in ~/.xsession-errors

correctmost commented 1 year ago

> Video file is a 4.4 kb text file that probably is a website reference to a video file not the video itself.

When you follow the link, is there an option to View raw? That should download the 14MB .mp4 file.


lukefromdc commented 1 year ago

I get "no video with supported format and mime type found" in the browser, but a downloading extension found it.

This may be unique to my browsers, as I keep most 3rd-party widgets and code blocked for privacy reasons. About 80% of the commercial internet fails with my heavy ad and tracker blocking, so don't worry about this.

At any rate I cannot work on this as I cannot duplicate the issue.

correctmost commented 10 months ago

> I have the window list in-process and assuming you do too, as out of process a crash would take down only the applet not the whole panel. I can drag windows back and forth within the window list over and over and never get the crash, nor any warnings about gtk_drag_finish() in ~/.xsession-errors

I can only reproduce the crash with out-of-process applets. (I didn't realize there was a configure switch for in-process/out-of-process applets earlier.)

I found an open merge request that should fix the underlying crash in GTK: https://gitlab.gnome.org/GNOME/gtk/-/merge_requests/6660

nudgegoonies commented 3 months ago

This bug has been driving me nuts for years. I have a specific order of all my open programs and it gets scrambled sometimes 5 times a day and sometimes it works for 5 days. I am on Debian 12 with MATE 1.26.

(mate-panel:1325879): Gtk-CRITICAL **: 14:42:22.184: gtk_drag_finish: assertion 'GDK_IS_DRAG_CONTEXT (context)' failed
(mate-panel:1325879): Gtk-CRITICAL **: 14:42:22.184: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed

lukefromdc commented 3 months ago

https://gitlab.gnome.org/GNOME/gtk/-/merge_requests/6660 has been sitting for the last seven months, has not even gotten a review. Note that not only MATE but XFCE are reported to be getting this crash.

Best workaround for now is probably to build wncklet (which includes the show desktop and window list applets) in-process so you can drag the window buttons without worrying about crashes.

rlueckl commented 1 month ago

I'm getting the exact same issue after upgrading from Linux Mint 21.3 to 22. I like my windows in a very specific order, but I don't always open them in that order, so I just drag them on the panel to have the order I want. After upgrading to Linux Mint 22 I started getting crashes and segfaults, just like described above. This is really annoying.

When I run mate-panels --replace & from Bash I see:

(mate-panel:23011): Gtk-CRITICAL **: 13:22:56.116: gtk_drag_finish: assertion 'GDK_IS_DRAG_CONTEXT (context)' failed
(mate-panel:23011): Gtk-CRITICAL **: 13:22:56.117: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed

In Syslog:

2024-10-18T13:22:58.500191+02:00 mylaptop kernel: mate-panel[23011]: segfault at 1 ip 00007da973d9ab8c sp 00007ffe546c7f10 error 4 in libgtk-3.so.0.2409.32[7da973a83000+3ae000] likely on CPU 1 (core 0, socket 0)
2024-10-18T13:22:58.500231+02:00 mylaptop kernel: Code: 1e fa 55 48 89 e5 41 56 41 89 ce 41 55 41 89 d5 41 54 41 89 f4 53 48 89 fb e8 f0 1e cf ff 48 85 db 0f 84 c7 00 00 00 48 89 c6 <48> 8b 03 48 85 c0 74 05 48 39 30 74 10 48 89 df e8 bf 6d cf ff 85
2024-10-18T13:22:58.527330+02:00 mylaptop systemd[1]: Started systemd-coredump@11-37340-0.service - Process Core Dump (PID 37340/UID 0). 
2024-10-18T13:22:58.712483+02:00 mylaptop systemd-coredump[37341]: Process 23011 (mate-panel) of user 1000 dumped core.#012#012Module libgcc_s.so.1 from deb gcc-14-14.2.0-4ubuntu2~24.04.amd64#012Module libstdc++.so.6 from deb gcc-14-14.2.0-4ubuntu2~24.04.amd64#012Module libzstd.so.1 from deb libzstd-1.5.5+dfsg2-2
build1.1.amd64#012Module libsystemd.so.0 from deb systemd-255.4-1ubuntu8.4.amd64#012Stack trace of thread 23011:#012#0  0x00007da973d9ab8c gtk_drag_finish (libgtk-3.so.0 + 0x39ab8c)#012#1  0x00007da973da0103 n/a (libgtk-3.so.0 + 0x3a0103)#012#2  0x00007da973da031d n/a (libgtk-3.so.0 + 0x3a031d)#012#3  0x00007da973938
c6d n/a (libgdk-3.so.0 + 0x33c6d)#012#4  0x00007da9733f3522 n/a (libglib-2.0.so.0 + 0x5e522)#012#5  0x00007da9733f248e n/a (libglib-2.0.so.0 + 0x5d48e)#012#6  0x00007da973451717 n/a (libglib-2.0.so.0 + 0xbc717)#012#7  0x00007da9733f2f77 g_main_loop_run (libglib-2.0.so.0 + 0x5df77)#012#8  0x00007da973bfeb45 gtk_main (
libgtk-3.so.0 + 0x1feb45)#012#9  0x00005ba2064acd5d main (mate-panel + 0x28d5d)#012#10 0x00007da97302a1ca __libc_start_call_main (libc.so.6 + 0x2a1ca)#012#11 0x00007da97302a28b __libc_start_main_impl (libc.so.6 + 0x2a28b)#012#12 0x00005ba2064acf05 _start (mate-panel + 0x28f05)#012#012Stack trace of thread 23016:#012#
0  0x00007da97312725d syscall (libc.so.6 + 0x12725d)#012#1  0x00007da97344b40d g_cond_wait (libglib-2.0.so.0 + 0xb640d)#012#2  0x00007da9733bc52b n/a (libglib-2.0.so.0 + 0x2752b)#012#3  0x00007da973424043 n/a (libglib-2.0.so.0 + 0x8f043)#012#4  0x00007da973420c82 n/a (libglib-2.0.so.0 + 0x8bc82)#012#5  0x00007da97309
ca94 start_thread (libc.so.6 + 0x9ca94)#012#6  0x00007da973129c3c __clone3 (libc.so.6 + 0x129c3c)#012#012Stack trace of thread 23020:#012#0  0x00007da97312725d syscall (libc.so.6 + 0x12725d)#012#1  0x00007da97344b40d g_cond_wait (libglib-2.0.so.0 + 0xb640d)#012#2  0x00007da9733bc52b n/a (libglib-2.0.so.0 + 0x2752b)#0
12#3  0x00007da9733bc58c g_async_queue_pop (libglib-2.0.so.0 + 0x2758c)#012#4  0x00007da972dae0fb n/a (libpangoft2-1.0.so.0 + 0xc0fb)#012#5  0x00007da973420c82 n/a (libglib-2.0.so.0 + 0x8bc82)#012#6  0x00007da97309ca94 start_thread (libc.so.6 + 0x9ca94)#012#7  0x00007da973129c3c __clone3 (libc.so.6 + 0x129c3c)#012#01
2Stack trace of thread 23017:#012#0  0x00007da97311b4cd __GI___poll (libc.so.6 + 0x11b4cd)#012#1  0x00007da97345166e n/a (libglib-2.0.so.0 + 0xbc66e)#012#2  0x00007da9733f1a53 g_main_context_iteration (libglib-2.0.so.0 + 0x5ca53)#012#3  0x00007da9733f1aa9 n/a (libglib-2.0.so.0 + 0x5caa9)#012#4  0x00007da973420c82 n/a
 (libglib-2.0.so.0 + 0x8bc82)#012#5  0x00007da97309ca94 start_thread (libc.so.6 + 0x9ca94)#012#6  0x00007da973129c3c __clone3 (libc.so.6 + 0x129c3c)#012#012Stack trace of thread 23019:#012#0  0x00007da97311b4cd __GI___poll (libc.so.6 + 0x11b4cd)#012#1  0x00007da97345166e n/a (libglib-2.0.so.0 + 0xbc66e)#012#2  0x0000
7da9733f1a53 g_main_context_iteration (libglib-2.0.so.0 + 0x5ca53)#012#3  0x00007da972238595 n/a (libdconfsettings.so + 0x7595)#012#4  0x00007da973420c82 n/a (libglib-2.0.so.0 + 0x8bc82)#012#5  0x00007da97309ca94 start_thread (libc.so.6 + 0x9ca94)#012#6  0x00007da973129c3c __clone3 (libc.so.6 + 0x129c3c)#012#012Stack
 trace of thread 23018:#012#0  0x00007da97311b4cd __GI___poll (libc.so.6 + 0x11b4cd)#012#1  0x00007da97345166e n/a (libglib-2.0.so.0 + 0xbc66e)#012#2  0x00007da9733f2f77 g_main_loop_run (libglib-2.0.so.0 + 0x5df77)#012#3  0x00007da97365b422 n/a (libgio-2.0.so.0 + 0x11a422)#012#4  0x00007da973420c82 n/a (libglib-2.0.s
o.0 + 0x8bc82)#012#5  0x00007da97309ca94 start_thread (libc.so.6 + 0x9ca94)#012#6  0x00007da973129c3c __clone3 (libc.so.6 + 0x129c3c)#012ELF object binary architecture: AMD x86-64
2024-10-18T13:22:58.719754+02:00 mylaptop systemd[1]: systemd-coredump@11-37340-0.service: Deactivated successfully.
2024-10-18T13:22:58.725003+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: /usr/share/applications/rhythmbox.desktop does not exist, skipping.
2024-10-18T13:22:58.726616+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: /usr/share/applications/gnome-calculator.desktop does not exist, skipping.
2024-10-18T13:22:58.726925+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: /usr/share/applications/gcalctool.desktop does not exist, skipping.
2024-10-18T13:22:58.727170+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: /usr/share/applications/gnome-terminal.desktop does not exist, skipping.
2024-10-18T13:22:58.727257+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: /usr/share/applications/cinnamon-settings-sound.desktop does not exist, skipping.
2024-10-18T13:22:58.727315+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: /usr/share/applications/xfce4-mixer.desktop does not exist, skipping.
2024-10-18T13:22:58.727336+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: /usr/share/applications/cinnamon-display-panel.desktop does not exist, skipping.
2024-10-18T13:22:58.727359+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: /usr/share/applications/xfce-display-settings.desktop does not exist, skipping.
2024-10-18T13:22:58.727378+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: /usr/share/applications/gnome-system-monitor.desktop does not exist, skipping.
2024-10-18T13:22:58.727401+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: /usr/share/applications/xfce4-taskmanager.desktop does not exist, skipping.
2024-10-18T13:22:58.727419+02:00 mylaptop org.mate.panel.applet.MintMenuAppletFactory[23023]: Binding to Hot Key: Super_L

I have tried resetting the config through:

but nothing helps.

mate-panels 1.27.1
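
The following is an added triage example, not code from this thread or from MATE/GTK. It correlates the Gtk-CRITICAL assertion lines with the kernel `segfault` record for the same PID and decodes that record (fault address, x86 page-fault error bits, offset of the faulting instruction inside the reported mapping). The names `triage`, `decode_error` and `NEAR_NULL_LIMIT` are this example's own, and the near-NULL threshold is a heuristic assumption.

```python
import re

# Constructed sample: three log lines copied from the thread above, with the
# syslog timestamp and host prefix trimmed.
SAMPLE = """\
(mate-panel:23011): Gtk-CRITICAL **: 13:22:56.116: gtk_drag_finish: assertion 'GDK_IS_DRAG_CONTEXT (context)' failed
(mate-panel:23011): Gtk-CRITICAL **: 13:22:56.117: gtk_widget_destroy: assertion 'GTK_IS_WIDGET (widget)' failed
kernel: mate-panel[23011]: segfault at 1 ip 00007da973d9ab8c sp 00007ffe546c7f10 error 4 in libgtk-3.so.0.2409.32[7da973a83000+3ae000] likely on CPU 1 (core 0, socket 0)
"""

CRITICAL_RE = re.compile(
    r"\((?P<prog>[^:()]+):(?P<pid>\d+)\): Gtk-CRITICAL \*\*: [\d:.]+: "
    r"(?P<func>\w+): assertion '(?P<expr>.+)' failed")
SEGV_RE = re.compile(
    r"(?P<prog>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<module>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

# Heuristic (assumption): addresses below 64 KiB are treated as "near NULL",
# i.e. a NULL or small-integer value was dereferenced as a pointer.
NEAR_NULL_LIMIT = 0x10000


def decode_error(err):
    """Decode the low bits of the x86 page-fault error code from the kernel line."""
    if err & 0x10:
        access = "instruction fetch"
    elif err & 0x2:
        access = "write"
    else:
        access = "read"
    return {
        "cause": "protection violation" if err & 0x1 else "page not mapped",
        "access": access,
        "mode": "user" if err & 0x4 else "kernel",
    }


def triage(text):
    """Return one finding per kernel segfault record, including the Gtk-CRITICAL
    assertions that the same PID logged before the crash."""
    criticals = {}  # pid -> function names whose assertion failed, in log order
    findings = []
    for line in text.splitlines():
        m = CRITICAL_RE.search(line)
        if m:
            criticals.setdefault(int(m["pid"]), []).append(m["func"])
            continue
        m = SEGV_RE.search(line)
        if not m:
            continue
        pid, addr, ip = int(m["pid"]), int(m["addr"], 16), int(m["ip"], 16)
        finding = {
            "prog": m["prog"], "pid": pid, "fault_addr": addr,
            "near_null": addr < NEAR_NULL_LIMIT,
            "module": m["module"], "vma_offset": None,
            "prior_criticals": list(criticals.get(pid, [])),
        }
        finding.update(decode_error(int(m["err"], 16)))
        if m["module"]:
            # The bracketed pair is the start and size of the mapping that holds
            # the faulting instruction, so ip - base is an offset into that
            # mapping, not necessarily an offset into the library file.
            base, size = int(m["base"], 16), int(m["size"], 16)
            if base <= ip < base + size:
                finding["vma_offset"] = ip - base
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        off = "n/a" if f["vma_offset"] is None else hex(f["vma_offset"])
        print(f'{f["prog"]}[{f["pid"]}]: {f["mode"]}-mode {f["access"]} of '
              f'{hex(f["fault_addr"])} ({f["cause"]}), near NULL: {f["near_null"]}, '
              f'{f["module"]} mapping offset {off}, '
              f'preceded by failed assertions in: {", ".join(f["prior_criticals"])}')
```

On the sample, the decoded record is a user-mode read of address 0x1, the same kind of value as the `context: 0x1` logged earlier in the thread.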